macOS 11.0.1 (20B50), Sophos Endpoint 10.0.2 & Confirming Endpoint Protection

Happy Monday!

Per the following article …

https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/recommended-reads/124246/how-to-confirm-the-endpoint-is-protected

… on a physical hardware running macOS 11.0.1 (20B50) and Sophos Endpoint 10.0.2, I'm able to download, unzip and open "eicar.com" without any notifications from Sophos.

  • Thanks for the prompt reply.

    Step No. 7 presumes Terminal was previously granted full disk access.

    Let me test and advise.

  • I'm experiencing the same results after a reboot.

    Here's the output from a test MacBook Air:

    % sw_vers
    ProductName:	macOS
    ProductVersion:	11.0.1
    BuildVersion:	20B50
    
    % sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select client,auth_value from access" | grep -i sophos | sort
    Password:
    com.sophos.endpoint.scanextension|2
    com.sophos.scan|0
    
    % systemextensionsctl list | grep -i sophos
    *	*	2H5GFH3774	com.sophos.endpoint.networkextension (1.0/2)	networkextension	[activated enabled]
    *	*	2H5GFH3774	com.sophos.endpoint.scanextension (1.0/1.0)	com.sophos.endpoint.scanextension	[activated enabled]
    
    % gzcat /Library/Logs/SophosDiagnostics.* | grep -e 'ESServer.*Cache Stat'
    gzcat: /Library/Logs/SophosDiagnostics.1.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.1.gz: uncompress failed
    gzcat: /Library/Logs/SophosDiagnostics.5.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.5.gz: uncompress failed
    2020-11-30 13:06:49.759 [SophosServiceManager 77:1814 TID:1782 ESServer PID:292] Create ScanD Cache Stat timer. (process: SophosScanD, pid: 494, xpc: com.sophos.esclient.xpc.SophosScanD.494.719DF)
    2020-11-30 13:11:49.721 [SophosServiceManager 77:1814 TID:12943 ESServer PID:292] [Cache Stat: Total 3331 item(s), hit ratio: 42.87095%, miss ratio: 57.12905%]
    2020-11-30 13:16:49.707 [SophosServiceManager 77:1814 TID:14867 ESServer PID:292] [Cache Stat: Total 3555 item(s), hit ratio: 42.646698%, miss ratio: 57.353306%]
    2020-11-30 13:21:49.723 [SophosServiceManager 77:1814 TID:16705 ESServer PID:292] [Cache Stat: Total 3956 item(s), hit ratio: 42.542194%, miss ratio: 57.457806%]
    2020-11-30 13:26:49.709 [SophosServiceManager 77:1814 TID:18143 ESServer PID:292] [Cache Stat: Total 4021 item(s), hit ratio: 42.49736%, miss ratio: 57.50264%]
    2020-11-30 13:31:49.696 [SophosServiceManager 77:1814 TID:19417 ESServer PID:292] [Cache Stat: Total 4390 item(s), hit ratio: 42.431564%, miss ratio: 57.56843%]
    2020-11-30 13:36:49.738 [SophosServiceManager 77:1814 TID:21216 ESServer PID:292] [Cache Stat: Total 4541 item(s), hit ratio: 42.712646%, miss ratio: 57.287354%]
    2020-11-30 13:41:49.722 [SophosServiceManager 77:1814 TID:23002 ESServer PID:292] [Cache Stat: Total 4558 item(s), hit ratio: 42.952408%, miss ratio: 57.047592%]
    2020-11-30 13:46:49.712 [SophosServiceManager 77:1814 TID:24282 ESServer PID:292] [Cache Stat: Total 4558 item(s), hit ratio: 43.005974%, miss ratio: 56.994026%]
    2020-11-30 13:51:49.698 [SophosServiceManager 77:1814 TID:26686 ESServer PID:292] [Cache Stat: Total 6437 item(s), hit ratio: 41.309708%, miss ratio: 58.690292%]
    2020-11-30 13:56:49.729 [SophosServiceManager 77:1814 TID:34697 ESServer PID:292] [Cache Stat: Total 8974 item(s), hit ratio: 61.980217%, miss ratio: 38.019783%]
    2020-11-30 14:01:49.711 [SophosServiceManager 77:1814 TID:36920 ESServer PID:292] [Cache Stat: Total 9039 item(s), hit ratio: 61.590492%, miss ratio: 38.409504%]
    2020-11-30 14:02:47.533 [SophosServiceManager 77:1814 TID:37314 ESServer PID:292] Invalidate ScanD Cache Stat timer. (process: SophosScanD, pid: 494, xpc: com.sophos.esclient.xpc.SophosScanD.494.719DF)
    gzcat: /Library/Logs/SophosDiagnostics.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.gz: uncompress failed
    2020-11-30 14:03:07.423 [SophosServiceManager 77:1814 TID:37585 ESServer PID:292] Create ScanD Cache Stat timer. (process: SophosScanD, pid: 3335, xpc: com.sophos.esclient.xpc.SophosScanD.3335.EBB37)

    P.S. The last line of Step No. 7.a.A. most likely should be the first line of Step No. 7.b.
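The three checks in the post above (system extension state, the TCC full-disk-access entry, and the ESServer cache-stat lines in the diagnostics log) can be scripted so the same pass/fail test runs on every machine. The helper below is an added example, not code from the thread or from Sophos; it reads the output of those commands on stdin and embeds constructed samples modelled on the post's output so it runs anywhere. The expected-value rules (both extensions must be "[activated enabled]", and the scan extension must have TCC auth_value 2, which Big Sur stores for an allowed entry) are the assumptions it encodes.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos). Applies the thread's
# checks to captured command output. On a real Mac, pipe the live output of
# `systemextensionsctl list`, the sqlite3 TCC query (needs Full Disk Access
# for Terminal) and `gzcat /Library/Logs/SophosDiagnostics.*` into these.

# Bundle IDs of the two Sophos system extensions shown in the thread.
SOPHOS_SYSEXTS="com.sophos.endpoint.networkextension com.sophos.endpoint.scanextension"

# check_sysexts: reads `systemextensionsctl list` output on stdin; returns 0
# only if every expected Sophos extension is listed as [activated enabled].
check_sysexts() {
    listing=$(cat)
    for ext in $SOPHOS_SYSEXTS; do
        printf '%s\n' "$listing" | grep -F "$ext" | grep -Fq '[activated enabled]' || return 1
    done
    return 0
}

# check_tcc: reads "client|auth_value" rows (the sqlite3 query output) on
# stdin; returns 0 only if the scan extension is allowed (auth_value 2).
# Assumption: TCC.db on Big Sur uses 2 = allowed, 0 = denied.
check_tcc() {
    grep -Fxq 'com.sophos.endpoint.scanextension|2'
}

# count_cache_stats: reads diagnostics log text on stdin and prints how many
# ESServer "Cache Stat" lines it contains, i.e. evidence that SophosScanD is
# being consulted for file events. Prints 0 (and still succeeds) if none.
count_cache_stats() {
    grep -c 'ESServer.*Cache Stat' || true
}

# Constructed samples (spaces instead of the tabs systemextensionsctl emits;
# the matching is substring-based so this does not matter).
SAMPLE_SYSEXT='*   *   2H5GFH3774   com.sophos.endpoint.networkextension (1.0/2)   networkextension   [activated enabled]
*   *   2H5GFH3774   com.sophos.endpoint.scanextension (1.0/1.0)   com.sophos.endpoint.scanextension   [activated enabled]'
SAMPLE_SYSEXT_BAD='*   *   2H5GFH3774   com.sophos.endpoint.networkextension (1.0/2)   networkextension   [activated enabled]
*   *   2H5GFH3774   com.sophos.endpoint.scanextension (1.0/1.0)   com.sophos.endpoint.scanextension   [activated waiting for user]'
SAMPLE_TCC='com.sophos.endpoint.scanextension|2
com.sophos.scan|0'
SAMPLE_TCC_BAD='com.sophos.endpoint.scanextension|0
com.sophos.scan|0'
SAMPLE_LOG='2020-11-30 13:06:49.759 [SophosServiceManager 77:1814 TID:1782 ESServer PID:292] Create ScanD Cache Stat timer. (process: SophosScanD, pid: 494)
2020-11-30 13:11:49.721 [SophosServiceManager 77:1814 TID:12943 ESServer PID:292] [Cache Stat: Total 3331 item(s), hit ratio: 42.87095%, miss ratio: 57.12905%]
2020-11-30 13:16:49.707 [SophosServiceManager 77:1814 TID:14867 ESServer PID:292] [Cache Stat: Total 3555 item(s), hit ratio: 42.646698%, miss ratio: 57.353306%]'

# report: runs all three checks on the constructed samples and prints a line
# per check; returns 0 only if the two hard checks pass.
report() {
    status=0
    if printf '%s\n' "$SAMPLE_SYSEXT" | check_sysexts; then
        echo "sysext:  OK (both Sophos extensions activated enabled)"
    else
        echo "sysext:  FAIL"; status=1
    fi
    if printf '%s\n' "$SAMPLE_TCC" | check_tcc; then
        echo "tcc:     OK (scan extension has Full Disk Access)"
    else
        echo "tcc:     FAIL"; status=1
    fi
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_cache_stats)
    echo "esserver: $n Cache Stat line(s) seen"
    return $status
}

report
```

To run it against a live endpoint, replace the samples with the real command output, e.g. `systemextensionsctl list | check_sysexts` and `sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "select client,auth_value from access" | check_tcc`; the TCC query only works from a terminal that itself has Full Disk Access, which is the caveat raised earlier in the thread.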

  • That is odd as the output all looks as expected.

    Could you trigger an SDU and PM me the filename - we'll get someone to look a bit deeper.

    https://support.sophos.com/support/s/article/KB-000038603?language=en_US

  • Happy Tuesday! I'm happy to hear things are working as expected.

    The team would still like to examine an SDU to understand why it was missed in the first instance. If you were able to find the time to trigger an SDU we'd be grateful.